charm does not report landscape client certificate validation errors when it's connecting to the server
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| landscape-client-charm | New | Undecided | Unassigned | |
Bug Description
Tried to continue with a workaround for https:/
landscape-client fails to connect to landscape server due to certificate validation errors, meanwhile landscape-client just reports "Need computer-title and juju-info to proceed" which is confusing and incorrect because both are present during hook runtime.
There are two problems here:
1) landscape-haproxy did not propagate a correct certificate to the landscape server for some reason;
2) landscape-client charm does not do proper error reporting.
More information below:
landscape-
sudo grep -P "computer.
account_name = standalone
computer_title = juju-8d7ebe-5
Landscape is behind haproxy which has a self-signed certificate used for TLS termination:
juju status | grep 10.190.92.180
landscape-
0 started 10.190.92.180 juju-8d7ebe-0 bionic Running
A certificate used on haproxy for TLS termination:
openssl s_client -connect 10.190.92.180:443 | openssl x509 -noout -text
https:/
A certificate for landscape server on a client machine which has different modulus values:
openssl x509 -in /etc/ssl/
https:/
A certificate
relation-get ssl-public-key | grep -oP "^base64:\K.*" | base64 -d | openssl x509 -text -noout
https:/
unit-landscape-
juju run --unit landscape-server/0 'relation-get -r website:5 ssl_cert landscape-
https:/
landscape-
frontend landscape-
bind 0.0.0.0:443 ssl crt /var/lib/
less /var/lib/
<redacted-
The above cert decoded:
cat | openssl x509 -text -noout
https:/
bundle:
https:/
/var/log/
2018-10-30 16:15:06,224 INFO [MainThread] Broker started with config /etc/landscape/
2018-10-30 16:15:06,333 INFO [MainThread] Starting urgent message exchange with https:/
2018-10-30 16:15:06,367 ERROR [PoolThread-
Traceback (most recent call last):
File "/usr/lib/
curl.perform()
pycurl.error: (60, 'server certificate verification failed. CAfile: /etc/ssl/
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/
message_api)
File "/usr/lib/
headers=
File "/usr/lib/
raise PyCurlError(
landscape.
2018-10-30 16:15:06,368 ERROR [MainThread] Message exchange failed: server certificate verification failed. CAfile: /etc/ssl/
2018-10-30 16:15:06,368 INFO [MainThread] Message exchange failed.
2018-10-30 16:15:06,368 INFO [MainThread] Message exchange completed in 0.03s.
2018-10-30 16:16:06,369 INFO [MainThread] Starting urgent message exchange with https:/
2018-10-30 16:16:06,436 ERROR [PoolThread-
Traceback (most recent call last):
File "/usr/lib/
curl.perform()
pycurl.error: (60, 'server certificate verification failed. CAfile: /etc/ssl/
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/
message_api)
File "/usr/lib/
headers=
File "/usr/lib/
raise PyCurlError(
landscape.
2018-10-30 16:16:06,436 ERROR [MainThread] Message exchange failed: server certificate verification failed. CAfile: /etc/ssl/
2018-10-30 16:16:06,437 INFO [MainThread] Message exchange failed.
2018-10-30 16:16:06,437 INFO [MainThread] Message exchange completed in 0.07s.
2018-10-30 16:16:07,434 INFO [MainThread] Broker stopped with config /etc/landscape/
Related branches
- 🤖 Landscape Builder: Needs Fixing (test results)
- Landscape: Pending requested
- Diff: 37 lines (+17/-1), 1 file modified: hooks/common.py (+17/-1)
Changed in landscape-client-charm: assignee: nobody → Alexander Litvinov (alitvinov)
Changed in landscape-client-charm: assignee: Alexander Litvinov (alitvinov) → nobody
The unit can even go into this state while actually failing on TLS certificate verification:
ubuntu/1* active idle 5 10.190.92.107 ready
client/ 3* active idle 10.190.92.107 System successfully registered
landscape-
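One way a charm hook could surface the failure recorded in the broker log above instead of a misleading status, including the last comment's case of a unit shown as registered while TLS verification fails. This is an added example, not code from the charm or its merge proposal; the function names, the sample log's host name and paths, and the choice of `blocked`/`waiting` states are assumptions.

```python
import re

# Constructed sample in the broker.log layout quoted in the report; the host
# name and file paths are placeholders, not values from the original page.
SAMPLE_LOG = """\
2018-10-30 16:15:06,333 INFO [MainThread] Starting urgent message exchange with https://landscape.example/
2018-10-30 16:15:06,368 ERROR [MainThread] Message exchange failed: server certificate verification failed. CAfile: /placeholder/ca.pem
2018-10-30 16:15:06,368 INFO [MainThread] Message exchange completed in 0.03s.
2018-10-30 16:16:06,369 INFO [MainThread] Starting urgent message exchange with https://landscape.example/
Traceback (most recent call last):
2018-10-30 16:16:06,436 ERROR [MainThread] Message exchange failed: server certificate verification failed. CAfile: /placeholder/ca.pem
2018-10-30 16:16:06,437 INFO [MainThread] Message exchange completed in 0.07s.
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} "
                  r"(?P<level>[A-Z]+) +\[[^\]]+\] (?P<msg>.*)$")
START = re.compile(r"^Starting .*message exchange")
FAILED = "Message exchange failed: "
TLS = re.compile(r"certificate verification failed", re.I)
CAFILE = re.compile(r"CAfile: (\S+)")


def last_exchange_failure(log_text):
    """Return (timestamp, reason) if the most recent exchange failed, else None."""
    failure = None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # traceback lines carry no timestamp prefix
        if START.match(m["msg"]):
            failure = None  # a new exchange supersedes older failures
        elif m["level"] == "ERROR" and m["msg"].startswith(FAILED):
            failure = (m["ts"], m["msg"][len(FAILED):])
    return failure


def workload_status(log_text, registered):
    """Map the broker log to a (state, message) pair for the unit status."""
    failure = last_exchange_failure(log_text)
    if failure is None:
        return (("active", "System successfully registered") if registered
                else ("waiting", "Not registered yet"))
    ts, reason = failure
    if TLS.search(reason):
        ca = CAFILE.search(reason)
        where = f" against CA file {ca.group(1)}" if ca else ""
        return "blocked", f"TLS certificate verification failed{where} at {ts}"
    return "blocked", f"Message exchange failed at {ts}: {reason}"
```

A TLS failure in the latest exchange takes precedence over the `registered` flag, so the unit cannot show "System successfully registered" while verification is failing.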